~ “Know your network before a hacker does.”

BatchWiper

BatchWiper is a Trojan that can delete every file, including user profiles, on the hard drives of compromised users. It uses an extremely simple attack vector: it creates BAT files and then uses them to delete files on different drives at predefined times.

Infection and Propagation Vectors

The Trojan comes in a dropper with the filename “GrooveMonitor.exe” which is a self-extracting RAR file. We don’t have details about the infection vector, but based on the dropper it could be deployed using USB drives or phishing emails.

Prevention

Users are requested to exercise caution when opening unsolicited emails and unknown links. Users are advised to keep Windows and third-party application security patches and virus definitions up to date and to have proper filtering rules in place.

Characteristics and Symptoms

Description

Upon execution, the Trojan (GrooveMonitor.exe) drops several files, such as SLEEP.EXE, juboot.exe and jucheck.exe, into the %system32% folder.

GrooveMonitor.exe then creates a process for juboot.exe. This process drops juboot.bat in the %Temp% folder and launches cmd.exe to run the juboot.bat file.

The juboot.bat file adds a registry entry for jucheck.exe and also creates a thread for jucheck.exe. The contents of juboot.bat are as below.

As can be seen from the registry changes, the malware maintains persistence by executing jucheck.exe every time the system boots. No external connections to any IP addresses or URLs were observed. Once jucheck.exe is executed, it creates jucheck.bat.

jucheck.bat deletes juboot.exe and GrooveMonitor.exe from the Start Menu folder. The bat file then checks the system date and, if it matches one of the predefined dates, executes the wiping routine. This routine checks for system drives and deletes every file on the drives with the letters D, E, F, G, H or I, along with files on the logged-in user’s Desktop.

Some of the dates the malware checks for are listed below.

Mon 12/10/2012
Tue 12/11/2012
Wed 12/12/2012
Mon 01/21/2013
Tue 01/22/2013
Wed 01/23/2013
Mon 05/06/2013
Tue 05/07/2013
Wed 05/08/2013
Mon 07/22/2013
Tue 07/23/2013
Wed 07/24/2013
Mon 11/11/2013
Tue 11/12/2013
Wed 11/13/2013
Mon 02/03/2014
Tue 02/04/2014
Wed 02/05/2014
Mon 05/05/2014
Tue 05/06/2014
Wed 05/07/2014
Mon 08/11/2014
Tue 08/12/2014
Wed 08/13/2014
Mon 02/02/2015
Tue 02/03/2015
Wed 02/04/2015

Clearly the malware author was thinking ahead, and this might have been stage one of a targeted attack waiting to happen in the future. MD5s of some files that are dropped.
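As an added example (not code from the original post), a small offline triage helper in Python that matches a host inventory against the dropped files and trigger dates described above, so an incident responder can see which artifacts are present and whether a trigger date has already passed since infection. The Run-key location and the sample inventory are assumptions; the post names the autostart binary but not the registry key.

```python
from datetime import date

# Filenames the post reports being dropped into %system32% and %Temp%.
SYSTEM32_DROPS = {"sleep.exe", "juboot.exe", "jucheck.exe"}
TEMP_DROPS = {"juboot.bat", "jucheck.bat"}
# The post names jucheck.exe as the autostart binary but not the registry key;
# scanning the standard Run keys for it is an assumption of this example.
AUTOSTART_BINARY = "jucheck.exe"

# Trigger dates listed in the post; the wiper fires when the system date matches.
TRIGGER_DATES = [
    date(2012, 12, 10), date(2012, 12, 11), date(2012, 12, 12),
    date(2013, 1, 21), date(2013, 1, 22), date(2013, 1, 23),
    date(2013, 5, 6), date(2013, 5, 7), date(2013, 5, 8),
    date(2013, 7, 22), date(2013, 7, 23), date(2013, 7, 24),
    date(2013, 11, 11), date(2013, 11, 12), date(2013, 11, 13),
    date(2014, 2, 3), date(2014, 2, 4), date(2014, 2, 5),
    date(2014, 5, 5), date(2014, 5, 6), date(2014, 5, 7),
    date(2014, 8, 11), date(2014, 8, 12), date(2014, 8, 13),
    date(2015, 2, 2), date(2015, 2, 3), date(2015, 2, 4),
]

def triage(system32_files, temp_files, run_values):
    """Match directory listings and (key, value) Run entries against the artifacts."""
    findings = []
    for name in sorted(SYSTEM32_DROPS & {f.lower() for f in system32_files}):
        findings.append(f"dropped binary in System32: {name}")
    for name in sorted(TEMP_DROPS & {f.lower() for f in temp_files}):
        findings.append(f"dropped batch file in Temp: {name}")
    for key, value in run_values:
        if AUTOSTART_BINARY in value.lower():
            findings.append(f"autostart entry {key} -> {value}")
    return findings

def next_trigger(today):
    """First trigger date on or after `today`, or None once all have passed."""
    return next((d for d in TRIGGER_DATES if d >= today), None)

def elapsed_triggers(infected_on, today):
    """Trigger dates between infection and today: each one may already have wiped data."""
    return [d for d in TRIGGER_DATES if infected_on <= d <= today]

if __name__ == "__main__":
    # Constructed sample inventory, not data from a real host.
    run_key = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jucheck"
    hits = triage(["kernel32.dll", "SLEEP.EXE", "jucheck.exe"], ["juboot.bat"],
                  [(run_key, r"C:\Windows\System32\jucheck.exe")])
    print("\n".join(hits))
    print("next trigger after 2013-01-01:", next_trigger(date(2013, 1, 1)))
```

The listings can be fed from exported directory and registry dumps, so the check runs without touching the suspect host again.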

About Me

Currently working with a finance organisation in their security engineering team. I have expertise in Security Architecture, Security Design and Consulting, and have experience with most of the vendors in the security domain.